Forum Discussion

Samir_Jha_52506
May 19, 2015

Content Adaptation for HTTP Requests with Symantec

Hi Team,

 

I need your help to configure content adaptation requests on F5 LTM. F5 is integrated with Symantec using the ICAP protocol. When an infected, malicious request comes in, Symantec sends a 201 response, which is not processed further, and the response halts on F5 before reaching the user. Symantec can only send 201 and 403 for infected requests. A 201 response states that a new response was created against the actual request. As per F5, the ICAP response for all infected requests should be either 200 or 204 in order to forward the response back to users.

 

Action points:

1. We have to send the infected-file scanning response back to users. In the current scenario, this is possible only if the ICAP response is 200 or 204 on F5.
2. To implement this, we have to perform traffic modification on F5 so that when an infected request is forwarded to Symantec, the returned response is 200 or 204. Alternatively, we have to modify the Symantec ICAP 201 response so that it is changed to 204 on F5.

 

Recommendation:

 

F5

 

Symantec

 

3 Replies

  • Is it possible to check the ICAP response? Either replace ICAP response 201 with 204, or send request header 204 in the ICAP request. Also, if possible, when the ICAP response comes with a 201 ICAP status, the session will be dropped by F5 before forwarding to the web server, and a user notification will be sent.

    I tried the iRules below, but they did not work.

        when ICAP_RESPONSE {
            if { [ICAP::status] contains "201" } {
                [ICAP::status] replace 204
                pool pool_testing
            }
        }

    OR

        when ICAP_RESPONSE {
            if { [ICAP::status] contains "201" } {
                set [ICAP::status] 204
                pool pool_testing
            }
        }
    
  • Have you had any luck with this? A few of us are trying to accomplish the same thing.

     

  • Use:

    uri icap://${SERVER_IP}:${SERVER_PORT}/AVSCANREQ\?action=scan

    The SYMC* responds with 201, which can break the F5. This request is backward-compatible. It responds with 200 instead of 201, and the ADAPT::response will be "respond" instead of the undefined state.
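
The following Python example is added here and is not from any poster in this thread, nor from F5 or Symantec. It parses captured ICAP response heads and labels each status with the outcome the thread describes (200 and 204 forwarded, 201 halting on the F5); the sample captures, the function names and the status-to-outcome mapping are assumptions built from the posts above.

```python
# Added example: classify captured ICAP response heads (RFC 3507 framing).
# The 200/204-vs-201 mapping is the thread's description of F5 behaviour, not a vendor spec.
FORWARDED = {200, 204}   # statuses the thread says F5 passes back to the user
STALLS = {201}           # status the thread says halts on the F5

def parse_icap_head(raw: bytes) -> dict:
    """Parse the ICAP status line and headers that precede the first blank line."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("ICAP/") or not parts[1].isdigit():
        raise ValueError(f"not an ICAP status line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    # Encapsulated lists section offsets, e.g. "res-hdr=0, res-body=120"
    sections = {}
    for item in headers.get("encapsulated", "").split(","):
        key, sep, off = item.strip().partition("=")
        if sep and off.isdigit():
            sections[key] = int(off)
    return {"status": int(parts[1]), "reason": parts[2] if len(parts) > 2 else "",
            "headers": headers, "sections": sections}

def f5_outcome(status: int) -> str:
    """Map an ICAP status to the outcome described in the thread."""
    return "forwarded" if status in FORWARDED else "stalls" if status in STALLS else "other"

# Constructed sample captures (not taken from a real scan server); the 200 for
# the action=scan URI follows what the last reply reports.
SAMPLES = {
    "infected, default URI": b'ICAP/1.0 201 Created\r\nISTag: "constructed"\r\n'
                             b"Encapsulated: res-hdr=0, res-body=120\r\n\r\n",
    "infected, action=scan": b'ICAP/1.0 200 OK\r\nISTag: "constructed"\r\n'
                             b"Encapsulated: res-hdr=0, res-body=120\r\n\r\n",
    "clean": b'ICAP/1.0 204 No modifications needed\r\nISTag: "constructed"\r\n\r\n',
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        r = parse_icap_head(raw)
        print(f"{label:24} {r['status']} -> {f5_outcome(r['status'])}")
```

Feeding it the ICAP response head from a packet capture between the F5 and the scan server shows which status the server actually returned for each request URI.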